On November 24, 2025, the Personal Data Protection Authority published the Guide on Generative Artificial Intelligence1 ("GAI") and the Protection of Personal Data ("Guide"). The Guide sets out the steps that companies developing, integrating, or using GAI systems must take in their capacity as data controllers, together with their compliance obligations. The key points the Guide raises for the use of GAI are summarized below.
a) Determination of Roles and Responsibilities:
- According to the Guide, the roles of data controller and data processor are more difficult to determine than in traditional processing, owing to the complex and dynamic nature of GAI systems.
- In this context, the actual control and decision-making authority of the parties over personal data processing activities, rather than contractual language, is the basis for determining the roles. A general approach should be avoided, and the nature and context of each processing activity should be considered.
- The Data Controller is the party that makes fundamental decisions regarding the processing of personal data.
- The Data Processor is the party that carries out the technical aspects of processing personal data on behalf of the data controller based on the data controller's instructions.
b) Compliance with General Principles:
- Personal data processed through GAI must be processed in accordance with general principles.
- Only necessary data should be processed; data should not be collected indiscriminately on the assumption that it may be needed later.
- To prevent the model from producing hallucinations (incorrect outputs) and from being discriminatory, the accuracy, timeliness, and representativeness (freedom from bias) of the training data sets must be ensured.
- Data should be deleted, destroyed, or anonymized once the purpose of processing has been fulfilled.
- For personal data processing activities with GAI systems to be lawful, regardless of the technology used, it is mandatory to rely on at least one of the limited processing conditions in the Personal Data Protection Law No. 6698 ("PDPL").
- Each step of the processing activities (development, operation, output production, etc.) can be considered an independent process and, therefore, a separate legal basis must be determined for each. In this context, one of the processing conditions set out in Articles 5 and 6 of the PDPL must be present for each processing activity. Explicit consent is not a priority processing condition and should only be obtained if other legal grounds are not available.
c) Information and Transfer Abroad:
- Users must be clearly informed when they are interacting with a GAI system (e.g., a chatbot).
- Transparent and accessible privacy notices must be provided regarding the sources from which data is collected (including web scraping), how it is processed, and the purpose for which it is used.
- If GAI systems are used whose servers are located abroad, the conditions for data transfer abroad (adequacy decision or appropriate safeguards) set out in Article 9 of the PDPL must be complied with.
d) Use of Data Subject Rights:
- The rights of data subjects set out in Article 11 of the PDPL must also be guaranteed in the context of GAI system use, and data subjects must be able to exercise them.
- Where a decision about an individual is made solely by an automated system (GAI) and has adverse consequences for that individual, the individual must be given the opportunity to object to the outcome. The necessary mechanisms must also be established so that individuals can exercise their rights to erase, rectify, or obtain information about their data within these complex systems.
e) Measures on Data Security:
- Personal data security measures must be taken.
- Examples of such measures include (i) integrating data protection measures into the system while it is still in the design phase (Privacy by Design), (ii) conducting penetration testing, including "Red Teaming" exercises, to identify security vulnerabilities in the system, and (iii) encouraging the use of synthetic data or privacy-enhancing technologies instead of real personal data wherever possible.
Footnote
1 Within the scope of the Guide, Generative Artificial Intelligence is defined as a type of artificial intelligence that is trained on large-scale data sets and can generate content in various formats such as text, images, video, audio, or software code in response to a user-entered prompt or command.